A blog to share security, networking and cloud related technology information as @vCloudernBeer picked up on his search for his destiny in the cloud. (LinkedIn: https://www.linkedin.com/in/chowanthony)

Sunday, March 15, 2015

Who do you trust? - nobody

It is not about me. I do have faith in the human race and there are people that I trust.

It is about a new security model proposed by Forrester Research in 2010.

Traditional Network Security

The problem with the traditional network security model is that it assumes anything outside the network is untrusted while everything inside the network is trusted. Heavy emphasis is put on the edge for network access control. Once a user is in the network, there is not much control.

There is Role Based Access Control (RBAC), in which a role is assigned to a user after the user successfully authenticates with proper credentials; the role is based on the user's credentials and sometimes on where and when the user is trying to access the network. RBAC is more useful when implemented at the application level. When RBAC is implemented at the network level, the security control it provides is still limited.

With the proliferation of server virtualization, a virtual machine can move from one host to another. This makes applying security controls more difficult: where is the perimeter?

Before we go on we need to spell out 2 definitions:

East-West traffic: the traffic between servers within a datacenter

North-South traffic: the traffic between client and server

The traditional security model is mostly tailored to north-south traffic, and not much is done for east-west traffic.

Zero Trust Security Model
The "Zero Trust" security model was proposed by John Kindervag, a senior research analyst at Forrester Research. His report can be found here (you have to pay to read the full report). We can also listen to John Kindervag talk about this "Zero Trust" model here on YouTube. The name of this security model captures its essence: "Trust no one". In the YouTube video, John Kindervag mentions 3 concepts for the "Zero Trust" security model:

All resources are accessed in a secure manner regardless of location

Access control is on a "need-to-know" basis and is strictly enforced

Inspect and log all traffic

Implementing this on the traditional 3-tier network (access/aggregation/core) is not easy.

Today let's take a look at VMware and Cisco products that utilize this "Zero Trust" security model. This security model also protects east-west traffic between servers.

VMware NSX is well known as a Software Defined Network (SDN) feature. I have stated in another post that NSX is also a security product, and according to Chris King, vice president of product marketing for VMware's Networking and Security Business Unit, a lot of customers show interest in NSX because of the inherent security features that come from its design.

NSX is a network virtualization platform that is able to automate, provision and manage network connectivity in a data center. With NSX there are 3 levels of security that can be accomplished:

Isolation

Segmentation

Advanced Segmentation with 3rd party security partners

Isolation
In a traditional network, Access Control Lists (ACLs) are used for isolation. With a virtualized network, the virtual network is by default isolated from the physical network. Each virtualized network is also isolated from the others. This follows the zero trust principle at the virtualized network level.

Segmentation
In NSX, there is the concept of micro-segmentation. In the traditional network, segmentation is done through VLANs. With a virtualized network, segmentation is not limited to a VLAN but can be fine-tuned to a smaller group of virtualized resources or even to an individual virtual machine. In fact, as will be explained again later in this post, micro-segmentation is how VMware achieves the zero trust security principle.

Advanced Segmentation with 3rd party security partners
With service chaining, NSX can direct the data traffic in a virtualized network to 3rd party security appliances for deeper packet inspection and ACL parsing.

The main idea behind how NSX accomplishes the zero trust security model is a distributed firewall (one on each ESXi host), so that traffic is inspected before it is sent onto the network. Even if 2 VMs are connected to the same vSwitch, the distributed firewall inspects the data traffic before it is sent to the destination VM. Without the distributed firewall, 2 virtual machines connected to the same vSwitch are able to pass traffic between each other freely.
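As an added illustration (not VMware's code and not the NSX API): a small Python model of the distributed-firewall idea, with constructed VM names, a constructed vSwitch layout and made-up rules. It shows that without a distributed firewall two VMs on one vSwitch can talk, while with it every flow is evaluated at the source VM's vNIC against a default-deny rule set and every decision is logged.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    src: str      # source VM
    dst: str      # destination VM
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

@dataclass(frozen=True)
class Rule:
    peer: str     # destination VM this rule applies to, or "any"
    proto: str
    dport: int
    action: str   # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return self.peer in ("any", f.dst) and self.proto == f.proto and self.dport == f.dport

@dataclass
class DistributedFirewall:
    rules: dict = field(default_factory=dict)   # VM name -> rules enforced at its vNIC
    log: list = field(default_factory=list)     # every decision is recorded (inspect and log all traffic)

    def decide(self, f: Flow) -> str:
        # Runs at the source vNIC, before the frame ever reaches the vSwitch,
        # so the destination being on the same vSwitch or host changes nothing.
        for r in self.rules.get(f.src, []):
            if r.matches(f):
                self.log.append((f, r.action))
                return r.action
        self.log.append((f, "deny"))            # no matching rule: deny (zero trust default)
        return "deny"

def deliver(vswitch: dict, f: Flow, dfw=None) -> bool:
    """True if the flow reaches dst. Without a DFW, sharing a vSwitch is enough."""
    same_segment = vswitch.get(f.src) == vswitch.get(f.dst)
    if dfw is None:
        return same_segment
    return same_segment and dfw.decide(f) == "allow"

# Constructed topology: three VMs on one vSwitch of one ESXi host (hypothetical names).
VSWITCH = {"web01": "vs-app", "db01": "vs-app", "adm01": "vs-app"}
DFW = DistributedFirewall(rules={
    "web01": [Rule("db01", "tcp", 3306, "allow")],    # web tier may only reach the DB port
    "adm01": [Rule("any", "tcp", 22, "allow")],       # admin VM may SSH to any VM
})
```

With `DFW` in place, `deliver(VSWITCH, Flow("web01", "db01", "tcp", 22), DFW)` is refused even though both VMs sit on `vs-app`, and `DFW.log` holds one entry per evaluated flow.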

This diagram explains the concept: with the distributed firewall implemented at the hypervisor level, we can accomplish the zero trust security model, where all traffic is inspected and filtered according to the defined security policy.

Cisco Application Centric Infrastructure (ACI)
Traditional network security is network based; ACI decouples the security policy and segmentation from the network and defines an "application friendly" policy model. The security policy model in ACI is not based only on MAC address, IP address or port number. In ACI the security policy is defined by:

Endpoint Group
Devices with a common policy are put together as a group. Grouping can be based on application-friendly attributes such as OS, patch level, application type, application component or function. Once created, an Endpoint Group can be used to define security zones, trust boundaries or a risk profile. In ACI the default is no trust.

Policy Contract
The contract defines how data traffic is delivered between Endpoint Groups (EPGs). This is how the security rules are applied to devices regardless of where they are; in a virtualized environment, virtual machine migration is common. The contract defines filters and any associated action, similar to traditional firewall rules based on the 5-tuple. Policy contract enforcement between Endpoint Groups can be unidirectional or bidirectional.

Application Network Profile
In the diagram above this is shown as Service Chains. Service chaining defines the flow of data traffic from one network service to the next. Service chaining is a hot and important topic for Network Function Virtualization (NFV).
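As an added example covering the Endpoint Group and Policy Contract sections above (my own simplified Python model, not Cisco ACI code or its object model): EPG membership is derived from endpoint attributes rather than IP or VLAN, so a migrated VM keeps its policy, and a flow is only allowed when a contract with a matching filter exists between the consumer and provider EPGs, with the default being no trust. All endpoint names, hosts and selectors are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    name: str
    host: str       # where the VM currently runs; deliberately not part of the policy
    attrs: tuple    # ((key, value), ...) e.g. (("app", "shop"), ("tier", "web"))

def epg_of(endpoints, selectors):
    """Map each endpoint to the first EPG whose attribute selector it satisfies.
    Membership comes from attributes (application, tier, OS), not IP or VLAN."""
    membership = {}
    for e in endpoints:
        a = dict(e.attrs)
        for epg, sel in selectors.items():
            if all(a.get(k) == v for k, v in sel.items()):
                membership[e.name] = epg
                break
    return membership

@dataclass(frozen=True)
class Contract:
    provider: str       # EPG offering the service
    consumer: str       # EPG allowed to initiate towards the provider
    filters: tuple      # ((proto, dport), ...), the filter part of the rule
    bidirectional: bool = False

def permitted(contracts, membership, src, dst, proto, dport):
    """Default is no trust: a flow passes only under a matching contract.
    Endpoints of one EPG talk freely in this model (intra-EPG isolation omitted)."""
    s, d = membership.get(src), membership.get(dst)
    if s is None or d is None:
        return False        # unclassified endpoint: nothing is trusted
    if s == d:
        return True
    for c in contracts:
        pairs = {(c.consumer, c.provider)}
        if c.bidirectional:
            pairs.add((c.provider, c.consumer))
        if (s, d) in pairs and (proto, dport) in c.filters:
            return True
    return False

# Constructed sample: a two-tier app plus an unrelated VM on the same fabric.
SELECTORS = {"shop-web": {"app": "shop", "tier": "web"},
             "shop-db": {"app": "shop", "tier": "db"}}
CONTRACTS = [Contract(provider="shop-db", consumer="shop-web", filters=(("tcp", 3306),))]
ENDPOINTS = [Endpoint("web01", "leaf1-host1", (("app", "shop"), ("tier", "web"))),
             Endpoint("db01", "leaf1-host1", (("app", "shop"), ("tier", "db"))),
             Endpoint("misc01", "leaf2-host3", (("app", "other"),))]
```

Moving `db01` to another host changes nothing in `epg_of(...)`, and reversing the direction (`db01` to `web01` on 3306) is refused until the contract is marked `bidirectional=True`.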

Trust and no trust
I believe the networking industry is catching up with server and storage virtualization technology. In a network we should trust no one, but in our daily life we should have a certain level of trust in the other people we come into contact with. Every day we are creating and updating our "Human Centric Profile" as to who and how much we can trust among the people we know.